IP ranges and NoScript 1.9.6.7

[TestingABE]

Hi! I've noticed that part in the changelog

V 1.9.6
=====================================================================
+ Support for raw IP and subnets with address prefix/mask syntax in
ABE rulesets

I am no expert, but does that mean Youtube's ever-changing IP address can be pinned down in an ABE ruleset?

NetRange: 208.117.224.0 - 208.117.255.255
CIDR: 208.117.224.0/19
NetName: YOUTUBE3
NetHandle: NET-208-117-224-0-1
Parent: NET-208-0-0-0-0
NetType: Direct Assignment
NameServer: DNS1.SJL.YOUTUBE.COM
NameServer: DNS2.SJL.YOUTUBE.COM

According to the above, I guess it would be safe to allow requests from youtube sites to the IP range 208.117.224.0 to 208.117.255.255. If the latest public version of NoScript now allows such things, what's the syntax?
And better yet, does or will NoScript allow the direct use of server names (in this case, DNS1.SJL.YOUTUBE.COM) in ABE rulesets? So we won't have to care about Youtube's registered IP range being modified. If NS allows that, what's the syntax?


Thanks

[Giorgio Maone]

Hi! I've noticed that part in the changelog

V 1.9.6
=====================================================================
+ Support for raw IP and subnets with address prefix/mask syntax in
ABE rulesets

I am no expert, but does that mean Youtube's ever-changing IP address can be pinned down in an ABE ruleset?

Yes it does

NetRange: 208.117.224.0 - 208.117.255.255
CIDR: 208.117.224.0/19
NetName: YOUTUBE3
NetHandle: NET-208-117-224-0-1
Parent: NET-208-0-0-0-0
NetType: Direct Assignment
NameServer: DNS1.SJL.YOUTUBE.COM
NameServer: DNS2.SJL.YOUTUBE.COM

According to the above, I guess it would be safe to allow requests from youtube sites to the IP range 208.117.224.0 to 208.117.255.255. If the latest public version of NoScript now allows such things, what's the syntax?

The CIDR one, i.e.

Code: Select all

Site 208.117.224.0/19
Allow from 208.117.224.0/19
Deny

But maybe I'm missing something, why not just

Code: Select all

Site *.youtube.com youtube.com *.ytimg.com ytimg.com
Allow from *.youtube.com youtube.com *.ytimg.com ytimg.com
Deny

?

And better yet, does or will NoScript allow the direct use of server names (in this case, DNS1.SJL.YOUTUBE.COM) in ABE rulesets?

I'm not sure about what you mean. ABE has always allowed using host names (e.g. youtube.com), which DNS servers translate into IPs (e.g. 208.117.224.1)...

[TestingABE]

The CIDR one, i.e.

Code: Select all

Site 208.117.224.0/19
Allow from 208.117.224.0/19
Deny

Ah good Thanks!
Out of curiousity, what does the /19 stand for? :19 would be port 19 but I don't know about slashes.

But maybe I'm missing something, why not just

Code: Select all

Site *.youtube.com youtube.com *.ytimg.com ytimg.com
Allow from *.youtube.com youtube.com *.ytimg.com ytimg.com
Deny

?

Because sometimes I agree to load youtube from elsewhere, Google Maps for instance as it's the same company. It seems that sometimes, the embedded youtube Flash video needs a connection to one of these IPs in the range given by the whois above.
(Although NoScript doesn't always show it in Tools >> Error console...or does it? All I remember is that sometimes I had to use RequestPolicy to see what ABE was blocking precisely, usually crossdomain.xml files and external SWF. I was using pretty restrictive ABE rules in those tests though)

And better yet, does or will NoScript allow the direct use of server names (in this case, DNS1.SJL.YOUTUBE.COM) in ABE rulesets?

I'm not sure about what you mean. ABE has always allowed using host names (e.g. youtube.com), which DNS servers translate into IPs (e.g. 208.117.224.1)...

I was supposing that dns1 and dns2.sjl.youtube.com would be the right places to target, that they would translate to all IPs in the range. Looks like I was wrong and that it was 208.117.224.0/19 instead.
By "better yet", I meant that because dns1.sjl.youtube.com is a host name, I hoped that it would point to all IPs in youtube's registered range no matter whether this range gets modified or not in the future. Can CIDRs like 208.117.224.0/19 do that? If so it means that maybe my Firewall will finally be able to allow svchost to communicate with Windows Update without having to write TONS of IPs in the rule! Now to find the right CIDRs...


Thank you for the help!

[Giorgio Maone]

Out of curiousity, what does the /19 stand for? :19 would be port 19 but I don't know about slashes.

19 is the netmask in a popular subnet notation.

NoScript doesn't always show it in Tools >> Error console...or does it?

It always does when it blocks something.

By "better yet", I meant that because dns1.sjl.youtube.com is a host name, I hoped that it would point to all IPs in youtube's registered range no matter whether this range gets modified or not in the future.

There's no way to tell that other than performing a DNS query, i.e. using the host name associated with that IP range.

[TestingABE]

Okay thanks, the article explains it very clearly.
For my Firewall, I guess that it just doesn't do DNS queries "on the fly" when a triggered rule contains a host name in it. No fun.

[Mc]

http://toolserver.org/~chm/blockcalc.php?lang=en is a nice tool to get netmasks.

[TestingABE]

Nice. For now I calculate in my head but once I'll be tired of that game, that site will be in bookmarks

As for my firewall, I added several CIDRs relative to Windows Updates...Now instead of 987659686987987986585 addresses I have only four that I enable only when I want to update.
Everything's fine now that I understand netmasks' ways